TR Dojo: IT security risks that might be lurking under your feet

November 15, 2011, 12:42pm PST | Length: 00:05:37


Bill Detwiler shows you five security risks that are likely lurking right under your nose, waiting to explode. Once you’ve watched this TR Dojo video, you can find a link to the original TechRepublic article and print the tip from our TR Dojo Blog.

Transcript

Bill Detwiler: It’s easy to get distracted by high-profile security threats and let more subtle — but equally destructive — risks fall through the cracks.

I'm Bill Detwiler, and during this episode of TR Dojo, I'll help you uncover security risks that are likely lurking right under your nose, waiting to explode.

IT admins are often so busy just trying to keep up with the obvious security threats (like malware and external attacks) that many more problems fly under the radar.

Well, IT pro and TechRepublic blogger Justin James put together a list of 10 security risks you may have in your organization right now that you aren't even aware of.

I don't have time to go through all of them during this video, but I'll give you the rundown on what I think are the top five and link to Justin's complete list in the TR Dojo blog.

First on his list are your employees.

Whether it's Jim in accounting, Carol the IT admin, or John the CEO, your own employees are likely your biggest security risk. Sometimes, it's deliberate. Disgruntled employees can express their anger by hurting your computer systems, stealing data, or holding information hostage.

And of course, it's possible for even well-meaning employees to make a major mistake. All it takes is an employee bringing in a virus from a home PC on a USB drive to nullify all your forward-facing firewalls and measures.

Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to avoiding these security landmines.

Next on the list are coding mistakes.

Despite years of warnings and education, some programmers still leave common security holes in their software. Justin still comes across software with SQL injection and cross-site scripting vulnerabilities.

As it’s often hard to switch software packages once your company's already purchased and deployed them, make sure you evaluate potential software for security holes and keep the software you do run up to date.

The third security risk on our list is ancient “rock solid” servers.

Every IT department has a few of these — those servers buried deep in the data room that “just won’t quit” and are probably running an application that's impossible to migrate to another machine.

Sadly, these servers are often a major security risk. Manufacturers may no longer be issuing patches for them, and we do not want to patch them for fear of breaking them. And even if we want to patch them, many older operating systems often have inherent security holes that no patch can fix.

You need to replace these servers one way or the other. Justin believes the best first step is to virtualize them. From there, it is a lot easier to try and update them.

It’s not just the old servers that are big security holes; it's also the applications running on them, as well as other legacy applications you may have running.

These applications would be a lot less problematic if they were current with their patches, but usually they aren’t. All too often, we miss a major version update because the upgrade is difficult, and then we’re so far behind the ball that it’s impossible to catch up.

Or perhaps the applications are completely discontinued. I know it can be painful and expensive, but the best thing you can do is find a migration path to a recent version or another package entirely.

The last security risk on this list is one that Justin is seeing more and more these days--applications that use a local Web server as an admin console.

Sometimes, these applications are installed by users without permission. But occasionally, the IT department just does not realize what comes with an application.

While these servers can be locked down so that they are not a risk (and with luck, they're installed like this by default), you should verify that the applications are secured properly before allowing them to be installed on users’ machines.

Well that does it for this edition of TR Dojo. These are just half of the hidden security holes Justin outlined in his article. I'll link to his full list, which includes risks like local admins and rogue machines, in the TR Dojo blog.

And as always, for more teachings on YOUR path to becoming an IT Ninja, visit trdojo.techrepublic.com, sign-up for our newsletter, or follow me on Twitter.

Thanks for visiting the TR Dojo.